Admin side data storage for Contact Form 7 <= 1.1.1 – Cross-Site Request Forgery | CVE 2024-1777 | Plugin Vulnerabilities

Description

The Admin side data storage for Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.1. This is due to missing or incorrect nonce validation on the settings update function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

admin-side-data-storage-for-contact-form-7

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/b411a97b-2f1c-4feb-b1c7-bc5a1aab7f33

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

zulu caPWN

Verified

No

WPVDB ID

9f30a7a7-054d-401e-b167-77a8a4516424

Timeline

Publicly Published

2024-02-22 (about 2 years ago)

Added

2024-02-22 (about 2 years ago)

Last Updated

2024-02-22 (about 2 years ago)

Other

Published

Title

Published

2023-12-27

Title

Thrive Automator < 1.17.1 - Cross-Site Request Forgery

Published

2025-04-09

Title

Mergado Pack <= 4.2.1 - Stored XSS via CSRF

Published

2025-09-22

Title

WorkScout-Core < 1.7.06 - Cross-Site Request Forgery

Published

2023-01-19

Title

SRS Simple Hits Counter < 1.1.1 - Settings Update via CSRF

Published

2022-02-21

Title

Hide Admin Bar Based on User Roles < 3.1.0 - Settings Update via CSRF